Bug 1820627 (CVE-2020-7065) - CVE-2020-7065 php: Using mb_strtolower() function with UTF-32LE encoding leads to potential code execution
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-7065
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1820629 1821129 1821130 1857713
Blocks: 1820607
Reported: 2020-04-03 13:31 UTC by Dhananjay Arunesh
Modified: 2023-10-06 19:34 UTC (History)

Fixed In Version: php 7.3.16, php 7.4.4
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in PHP while using the mb_strtolower() function with UTF-32LE encoding, where certain invalid strings cause PHP to overwrite the stack-allocated buffer. This flaw leads to memory corruption, crashes, and potential code execution.
Clone Of:
Environment:
Last Closed: 2020-09-08 13:19:08 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:3662 0 None None None 2020-09-08 09:47:33 UTC
Red Hat Product Errata RHSA-2020:5275 0 None None None 2020-12-01 12:03:33 UTC

Description Dhananjay Arunesh 2020-04-03 13:31:08 UTC
A vulnerability was found in PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.34: while using the mb_strtolower() function with UTF-32LE encoding, certain invalid strings could cause PHP to overwrite a stack-allocated buffer. This could lead to memory corruption, crashes and potentially code execution.

Comment 1 Dhananjay Arunesh 2020-04-03 13:31:40 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1820629]

Comment 2 Remi Collet 2020-04-03 13:48:23 UTC
-A vulnerability was found in PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.34
+A vulnerability was found in PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.4
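Review bot: The Description comment still reads "7.4.x below 7.4.34" after this correction, so anyone checking a 7.4.x install against it gets the wrong bound. The "+" line's 7.4.4 is the value that agrees with the Fixed In Version field (php 7.3.16, php 7.4.4), and the Description should be read with that bound.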

Comment 4 Huzaifa S. Sidhpurwala 2020-04-06 06:33:29 UTC
It is difficult to trigger these issues in production code, and this also depends on the way the PHP script is written. Therefore, this issue has been downgraded to having moderate impact.

Comment 5 Huzaifa S. Sidhpurwala 2020-04-06 06:35:17 UTC
Upstream patch:
http://git.php.net/?p=php-src.git;a=commit;h=69155120e68d2e614d5c300974a1a5610cfa2e8b

Comment 6 Huzaifa S. Sidhpurwala 2020-04-06 06:35:21 UTC
External References:

https://www.php.net/ChangeLog-7.php#PHP_7_3
https://www.php.net/ChangeLog-7.php#PHP_7_4

Comment 12 errata-xmlrpc 2020-09-08 09:47:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3662 https://access.redhat.com/errata/RHSA-2020:3662

Comment 13 Product Security DevOps Team 2020-09-08 13:19:08 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-7065

Comment 14 errata-xmlrpc 2020-12-01 12:03:55 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:5275 https://access.redhat.com/errata/RHSA-2020:5275

